
HD-DVD and Blu-Ray Protections Fully Broken 682

gEvil (beta) writes "According to an article at BoingBoing, the processing keys for the AACS encryption scheme used by both HD-DVD and Blu-Ray video discs have been extracted, and a crack has been released. What this means is that there is now a method to extract the copy-protected content of any HD-DVD or Blu-Ray disc out there. This is different from Muslix64's previous crack, which only extracted the volume key for each disc. This new method bypasses this step and allows anyone to extract the data without first requiring the volume key."
This discussion has been archived. No new comments can be posted.

  • Doom9's Forum (Score:5, Informative)

    by yanos ( 633109 ) <yannos@[ ]il.com ['gma' in gap]> on Tuesday February 13, 2007 @02:24PM (#18000294)
    It all starts here: http://forum.doom9.org/showthread.php?t=121866&page=6 [doom9.org]

    Later posts seem to confirm that it works for both BR and HD-DVD
  • Indeed. These guys should have listened to Cory Doctorow when he was talking at Microsoft [uberm00.net]. Unfortunately, it seems they didn't get it either.
  • Not Really Broken (Score:5, Informative)

    by Jah-Wren Ryel ( 80510 ) on Tuesday February 13, 2007 @02:34PM (#18000448)
    The guy just pulled the device keys for windvd and/or powerdvd from system memory. People have already been pulling the volume keys from memory so this was just an incremental step. The keys will be revoked (which really means that future discs will not include support for the compromised device keys, there is no actual 'taking back' of the keys as the word 'revoke' tends to imply).

    One key thing to take away from this is that the authors of the software made it really easy to pull the device keys out of memory for two reasons:
    1. They kept them in variables that were physically near the variables for the volume key
    2. They zeroed them out after use, leaving big gaping holes of zeros in memory in a place where that kind of looked funny, drawing attention to those areas
    If they are smart (and if the MPAA even give them another chance), the powerdvd/windvd authors will reimplement their AACS decryption code to never store the keys in memory. Without double-checking, I believe the keys are only 128 bits, they could be loaded into the SSE registers in encrypted form and then decrypted on chip. The authors will still need to take measures to prevent an OS context switch from storing the registers in kernel-private memory during the period in which the device keys are present, but that is not an extended period of time, presumably they can kick their priority up high enough that it won't happen without hurting the system much.

    Even that approach isn't hack-proof, but it is a lot harder to dump the cpu registers under such conditions than it is to trace memory accesses.
  • by CastrTroy ( 595695 ) on Tuesday February 13, 2007 @02:58PM (#18000862)
    Security through obscurity means that you hide the way your security algorithm works in order to make it seem more secure than it is. Take a safe for instance. Security through obscurity would be trying to hide how the safe was designed, and trying to stop the thief from touching the safe in order to prevent them from breaking into it. A safe that doesn't rely on security through obscurity means that you could give the plans to the safe, to show how it's made, and all the mechanisms inside, as well as give him free access to the safe to try to do a bunch of things with it, and you would still be sure that he wouldn't break into the safe, short of using brute force. Common encryption algorithms like RSA are believed to be secure, even though everybody already knows how they work. The only way people know to break them, is to try all the keys. This is like trying every possible combination on a safe, in order to open it. Instead of safes which aren't really secure, that you can break just by listening to the tumblers with a stethoscope.
  • Re:Not Really Broken (Score:5, Informative)

    by Jah-Wren Ryel ( 80510 ) on Tuesday February 13, 2007 @03:05PM (#18000962)
    Couldn't you still load the program into gdb and get the register values that way? Or is there something in the modern versions of MS Windows that prevents using a debugger?

    Under most versions of unix, only one debugger can attach to a process at a time. So an easy trick to prevent being debugged is to make the program attach to itself, thus locking out other debuggers. Some unices don't let a process attach to itself, but for those it may be possible to fork a child and have each process mutually debug the other. I'm not an NT programmer, but I would bet something along those lines works the same there too.

    Don't get me wrong, nothing is fool-proof (and I said so in my first post) the best these guys can do is make it difficult. So far, the windvd/powerdvd guys just wiped the device key from memory after use which is about the bare minimum - they could have done lots more without too much effort.
  • Re:Not Really Broken (Score:5, Informative)

    by plalonde2 ( 527372 ) on Tuesday February 13, 2007 @03:09PM (#18001012)
    it is a lot harder to dump the cpu registers under such conditions than it is to trace memory accesses.

    You've clearly never worked with a good hardware-assisted debugger. And virtualization makes this scenario possible without debugger hardware support.

    Even more, no matter what, the key has to make its way from the device to the CPU register. On every modern machine that transaction goes through memory. Which means that brute-force tracing from the device to the registers should be able to find it. Not necessarily easily, but quite doable.

    DRM is dead. Let's bury it.

  • Re:Nice. (Score:5, Informative)

    by Anonymous Coward on Tuesday February 13, 2007 @03:10PM (#18001026)
    Editor's Note: Houston is a porno actress who was supposed to gang bang 500 men and wound up gangbanging 620 men instead. So the parent post would suggest that only 620 movies would be online in five years. I suspect that there will be many more movies online.
  • by FireFury03 ( 653718 ) <slashdot&nexusuk,org> on Tuesday February 13, 2007 @03:15PM (#18001116) Homepage
    In theory yes, but how easy do you believe it is to update all those specialized video players, all offline?

    You don't need the hardware to be networked in order to do key revocation - all the current discs continue to work just fine, but future discs will be encoded so they cannot be decoded with this key (this is the basis of AACS key revocation).

    This is definitely not "fully broken" - fully broken is when I can use the crack indefinitely *without* having to get a new player and extract a key from it every so often. i.e. it involves finding a flaw in the algorithm that allows you to decode the disc without needing to extract any data from a legitimate player to do so.
  • by h2g2bob ( 948006 ) on Tuesday February 13, 2007 @03:18PM (#18001158) Homepage
    Sorry everybody, but it's not.

    That said, they have got a player key now, so all disks published to date can be decoded.

    Each player has its own player key, and each disk accepts any player key in its list (the player key is used to decode the volume key which decodes the film).

    With this player key, they can decode any HD-DVD which has been printed already. However, as the key has now been compromised, future disks will not accept that player key. The software will have its player key updated, but the software will be tightened in an attempt to remove this loophole.

    Take a look at the archives of http://www.freedom-to-tinker.com/ [freedom-to-tinker.com] for a detailed discussion.
  • by dpilot ( 134227 ) on Tuesday February 13, 2007 @03:42PM (#18001560) Homepage Journal
    I wouldn't be quite so optimistic. The difference is that at least some of the people involved in crafting TPM know something about security, as opposed to the people doing DRM and touch-screen voting machines. There has been quite a bit of art and work involved in developing tamper-resistant chips, and at least some of the TPM implementations use this art.

    Of course the devil is in the details. It's fully possible to build an insecure system around a secure TPM chip, and no doubt that's going to be done, too.

    Then again, TPM isn't bad, on its own. It really depends on who owns the TPM. As long as I own it, it just might be good. The moment someone else owns it, then I merely pretend to own my system that has it, and that's bad. Some time ago, I picked the (M) stuff for the kernel build on my Thinkpad, and have been building them ever since. I've never used them yet, but if SOMEBODY is going to be controlling that chip, I want it to be ME.
  • by Anonymous Coward on Tuesday February 13, 2007 @03:45PM (#18001616)
    Then I guess you better call up IBM and tell them just how much smarter than them you are. I'm certain they would have never thought of an acid bath, or an electron microscope.

    BTW to the poster who asked: when will media companies give up? I'll ask, when will people stop trying to get content without paying for it?
  • by AeroIllini ( 726211 ) <aeroillini@NOSpam.gmail.com> on Tuesday February 13, 2007 @03:47PM (#18001654)

    And the problem with TPM is that you still have access to the hardware.

    No, the problem with TPM was that lousy Jar-Jar character. He had more than enough jibber-jabber.
  • by AJWM ( 19027 ) on Tuesday February 13, 2007 @04:02PM (#18001946) Homepage
    And one of the big publishers of e-books, Baen Books, not only doesn't bother with DRM, they make the content available in multiple formats, and even offer entire ebooks free (see the Baen Free Library [baen.com].) They occasionally put out a CD full of big name SF and fantasy books, and encourage copying (just don't charge money for it). Anything to get folks hooked ;-)

    The authors involved agree that this helps get their names out and generates demand for paper copies and paid-for e-copies of their work. The reduced overhead of e-publishing compared to paper publishing more than covers any "piracy", I guess. The "Baen's Universe" e-magazine pays the authors better rates than the current paper magazines (Asimov's, Analog, etc) do. (Don't know about the book payment side. I hope to find out first hand at some point ;-)
  • by tfinniga ( 555989 ) on Tuesday February 13, 2007 @04:04PM (#18001996)
    So, like some of the other posters mentioned, the confusing part is security through obscurity vs. using secrets.

    It can be shown that if two people know a secret, they can exchange information over a common channel, and eavesdroppers can't decrypt the message without trying every possible secret. This is somewhat like sending a safe through the mail - anyone intercepting packages at the post office would have to try every possible combination to get it open. Even if they knew the design of the safe. Even if they had helped design the safe.

    A real-world example of this is the design of the ATM [oldskool.org]: The author used public-key encryption so that even if he were trying to break the encryption, he wouldn't be able to. While he made the design, he doesn't know the secret key.

    The reason such strong encryption can't be used on DRM is because they have to give you the secret. It's like giving you a safe, giving you the code, and then telling you that you should only open it in certain circumstances.
  • Re:Horseshoe racket (Score:3, Informative)

    by Firethorn ( 177587 ) on Tuesday February 13, 2007 @04:05PM (#18002024) Homepage Journal
    Like most analogies, it ultimately breaks down. Still, the RIAA/MPAA marketing models are increasingly flawed.

    That doesn't mean that they have to get out of the movie(blacksmithing) making business. It's just that they have to realize that they're not going to sell physical media products such as VHS tapes and DVDs forever. DRM isn't working, giving only months of protection in this case. Most of the anime DVDs I purchase don't have DRM. They have empty keys and the macrovision bit isn't set*. Why? The Anime companies took a look at their target market and figured out that DRM A: Annoys their customer base, and B: said customer base is on average technically skilled enough that DRM is less than an annoyance to their copying efforts. Yet they can still make money on sales.

    Music content is shifting away from CDs to online, why shouldn't movies? Heck, I'd love to be able to purchase a movie online, then download it to my computer/DVR to watch while I do something else. It'd be faster than netflix and not require so much personal time as a rental place that I have to drive to(not to mention better selection).

    Most people are willing to pay money for a legitimate product as long as it's competitive with the real one. Generally the legitimate producer has advantages of superior quality, the ability to advertise, operate a real storefront, etc... Illegal producers have the advantage of not having to create the material, allowing them to be cheaper.

    The MPAA/RIAA have both messed up in their attempts to move into the market niche currently taken by pirates(online), by their insistence on using DRM, as it has in some cases managed to give the pirates an advantage: Their version's superior. One example was a couple DVDs released by disney that had 5 minutes of non-skippable advertising before the movie could be played. Another would be MP3's downloaded off the internet vs the commercial CD which attempts to silently install a back-door DRM that leaves a mile-wide vulnerability in your system. For that matter, storing movies on a TB size DVR type device vs having hundreds of DVDs that you have to physically search through to find the video you want to see.

    *setting it costs $, and since the companies found that its effectiveness in preventing copying approached zero, decided not to waste the money.
  • by D3viL ( 814681 ) on Tuesday February 13, 2007 @04:21PM (#18002272)
    You would be correct, except what has been released is not the player key. In fact the player (device) key is one of the two that have not been released, the other one being the root key held by AACS LA. The key that has just been released and resulted in this article is the processing key which can (and probably will) be changed for any disc authored after the previous key became known. The key difference is that the player key is linked to the specific player whereas the processing key is specific to the hddvd/blueray discs created with it and will continue to be valid for those discs even after new ones are produced with a new key. Releasing a device key would be counterproductive as individual device keys can be blacklisted meaning if you had one you would have to break a new player device (hardware or software).
  • MOD PARENT Up! (Score:5, Informative)

    by tacokill ( 531275 ) on Tuesday February 13, 2007 @04:33PM (#18002458)
    This is the real story here. Mod parent up.

    Essentially, what he is saying is this: while the crack is temporary, the method of attack is unassailable under the current model.

    That's what's important here. If keys get revoked, it's a trivial matter to go get them again. The hard work has been done. Now all you have to do is follow procedures and -voila- you can crack AACS too.

    Despite other comments on this board, AACS IS cracked.
  • by Virak ( 897071 ) on Tuesday February 13, 2007 @04:41PM (#18002626) Homepage
    Unless the Wikipedia article [wikipedia.org] is horribly wrong, or I'm misreading that, I'm pretty sure that's not a known-plaintext attack. Known-plaintext attacks (again, assuming Wikipedia is correct; IANAC) use the ciphertext and its known plaintext to derive the information necessary to decrypt further data encrypted the same way; in this case, the processing key. It'd be a known-plaintext attack if they used a C value decrypted with the old key and the same C value encrypted with the new key to get the new processing key. The method that person proposed is much easier, instead relying on the fact that the memory location the key is stored in is unlikely to change, as it is of a fixed size and as a result only needs memory allocated for it once.

    Of course, there's nothing stopping them from simply moving the key around each time, however then you merely need to find the location that the pointer to the key's location is stored to defeat that. They could also pile on more layers of obscurity of a wide variety of types in order to protect the ones below them, but they'll merely delay the inevitable, like all DRM, as you have no way of knowing if a customer could be a possible attacker and thus must allow everyone access to the content.
  • by niiler ( 716140 ) on Tuesday February 13, 2007 @04:43PM (#18002674) Journal
    It sounds like the new encryption scheme was based on the fact that the Key would be in active memory for such a short period of time that it would be effectively irretrievable. All the hacker did was to slow the decoding process down so that the instant the Media key entered memory, the player was stopped and the Media key was recorded. While it might sound simple to "patch the software" to guard against this, the hacker has found the weak point in the whole scheme. This, to me sounds like a major rewrite, not a patch. And even if there is a rewrite, you still need to give the key to your audience at some point or they can't watch the video. This sounds like a losing proposition from the security viewpoint.
  • Re:Not Really Broken (Score:2, Informative)

    by Jah-Wren Ryel ( 80510 ) on Tuesday February 13, 2007 @04:47PM (#18002732)
    No, like so many others posting in this thread, you don't know how AACS works. Which is shameful since wikipedia spells it out.

    Each volume key is encrypted a couple of thousand times and stored on the media. Each encryption is done with an individual device key. If your player's device key was not used for any of those volume key encryptions (as in it was revoked), your player will not be able to decrypt the volume key and thus will not be able to decrypt the movie. So there is no way to simply patch a routine to always return "OK" because it doesn't return OK, it returns the key needed to decrypt the movie.
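
A simplified model of the revocation scheme as the comment above describes it (one wrapped copy of the volume key per device key, with revoked keys left out of later discs), given as an added example that is not part of the thread and is not AACS code. It assumes an HMAC-SHA256 pad as a stand-in for AES; the device names, keys and function names are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16  # 128-bit keys, the size the thread assumes


def _pad(device_key, nonce):
    """One-time pad derived from the device key (stand-in for AES)."""
    return hmac.new(device_key, b"wrap" + nonce, hashlib.sha256).digest()[:KEY_LEN]


def _tag(device_key, nonce, wrapped):
    """Short tag so a player can recognise the entry made for its key."""
    return hmac.new(device_key, b"tag" + nonce + wrapped, hashlib.sha256).digest()[:8]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wrap(device_key, volume_key):
    """Wrap the volume key under one device key."""
    nonce = secrets.token_bytes(8)
    wrapped = _xor(volume_key, _pad(device_key, nonce))
    return nonce, wrapped, _tag(device_key, nonce, wrapped)


def author_disc(volume_key, device_keys, revoked=frozenset()):
    """Key block for a disc: one entry per device key that is NOT revoked."""
    return [wrap(key, volume_key)
            for name, key in device_keys.items() if name not in revoked]


def recover_volume_key(device_key, key_block):
    """Player side: return the volume key, or None if no entry matches.

    There is no yes/no check to patch out: a player whose key was left
    off the disc simply has nothing it can unwrap.
    """
    for nonce, wrapped, tag in key_block:
        if hmac.compare_digest(tag, _tag(device_key, nonce, wrapped)):
            return _xor(wrapped, _pad(device_key, nonce))
    return None


def demo():
    # Constructed device keys for three hypothetical players.
    devices = {n: secrets.token_bytes(KEY_LEN)
               for n in ("player_a", "player_b", "player_c")}
    old_vk = secrets.token_bytes(KEY_LEN)
    new_vk = secrets.token_bytes(KEY_LEN)

    old_disc = author_disc(old_vk, devices)                        # pressed before the leak
    new_disc = author_disc(new_vk, devices, revoked={"player_b"})  # pressed after it

    leaked = devices["player_b"]
    return {
        "leaked_key_opens_old_disc": recover_volume_key(leaked, old_disc) == old_vk,
        "leaked_key_opens_new_disc": recover_volume_key(leaked, new_disc) is not None,
        "player_a_opens_new_disc": recover_volume_key(devices["player_a"], new_disc) == new_vk,
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

The model shows why "revocation" only protects discs authored afterwards: the old disc still carries an entry for the leaked key, and nothing can change a disc that has already shipped.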
  • by JohnFluxx ( 413620 ) on Tuesday February 13, 2007 @05:24PM (#18003358)
    Just FYI, use of an electron microscope is pretty cheap too. I'm charged £35 ($70) an hour.
  • by olman ( 127310 ) on Tuesday February 13, 2007 @07:07PM (#18004870)
    But I'd also assert that a well-designed TPM setup is WAY beyond the resources of DVD John, the AACS crackers, and maybe even the distributed.net efforts.

    Just one good example here.. Xbox 360. It's been out for a while and the DRM is still essentially there. Except that games can be COPIED. But forget about playing that "backup" of brand new R1 game in your R2 console, pardner. Region codes are NOT hacked.
    Neither is requirement for signed code.

    So what the modchips essentially do is hack the dvd drive to give "we're good here" response to appropriate media query, but you need 1:1 copy of the original media to pull that off or the signature won't match.

    No media center for X360, though. XNA program does not let you do it even after you fork out $99/year for the privilege because XNA progs cannot use network (and access your huge collection of dvd rips and mp3s)
  • Re:The problem (Score:3, Informative)

    by owlstead ( 636356 ) on Tuesday February 13, 2007 @08:18PM (#18005732)
    "This is what makes movie DRM untenable. Since the format of the disks is publicly known (to insure that UNencrypted disks operate correctly), attackers know that they can discard solutions after decrypting very little of the ciphertext (probably just one byte)."

    Bollocks. AES (used by AACS) and many other ciphers are pretty well protected against known plain text attacks. Furthermore, with common block sizes of 8 and 16 bytes it would be very hard to decrypt just a single byte.
  • by radtea ( 464814 ) on Tuesday February 13, 2007 @08:58PM (#18006180)
    It's merely a matter of making it hard enough to stop most attacks.

    Nope--it's like the IRA said to Mrs. Thatcher: "To stay alive you have to get lucky every time. To kill you we only have to get lucky once."

    And real security isn't through obscurity: it is through physical denial of access to the decryption key. What even hardened TPM chips do is more akin to handing a user a safe with the key inside, and giving them unlimited time and all the resources they feel like using to open it. Grad students with access to x-ray micrographs [oxfordjournals.org], people who like to solve near-field problems...

    Additionally, here's a nice summary of one of the many non-physical reasons why TPM is not secure:


    Ergo, some users must ultimately have access to keys to ensure failure recovery. Given everything we know about users, it would be ill-advised to bet against breaches driven by user behaviour even if the physically impossible were achieved and someone was able to make the hardware genuinely secure.

    I can just see the headlines in 2010: "Intel Admits TPM Keys Leaked"
  • Re:MOD PARENT Up! (Score:3, Informative)

    by xenobyte ( 446878 ) on Wednesday February 14, 2007 @07:44AM (#18009924)
    Actually they cannot refuse providing the new key to all licensed software players... the producers of these have a contract that - if broken by the MPAA - guarantees a major lawsuit for damages and loss of income. MPAA will be financially wiped out by just denying a new key to one major software player, let alone all of them.

    But then, hardware players can also be debugged just like a software player - it's a bit more cumbersome but it can be done or there would be no hardware players.
